International SOS, which claims to be "the world's largest medical
and security services company," suffered a cyber-attack on its traveler-tracking
system. A source told BTN the incident took place Aug. 28.
"We detected an unauthorized
access in the U.S. to one of our systems, which hosts traveler information
related to one of our information technology products," according to a
company statement provided to BTN.
"As soon as we were made aware of the incident, we immediately took steps
to investigate and mitigate against further incidents, as well as notified the
appropriate law enforcement authorities. We have proactively communicated to a
limited group of clients whose travelers' data may have potentially been
accessed. This incident remains under investigation and we are committed to
providing further updates to our clients."
International SOS declined to indicate what data was compromised, how
many clients were affected, whether the compromised data has been used for
malicious purposes, which remedies have been taken and what lessons were
learned.
BTN spoke to representatives of three International SOS clients who confirmed
they had been contacted by the company about the incident.
In its marketing materials, International SOS claims to have "pioneered
travel tracking technology." Generally, a security company like
International SOS works on traveler tracking in cooperation with the client's
travel management company. The TMC usually exports the client's passenger name
records in their entirety to the traveler-tracking company, although payment
information likely is masked. Some companies specify that only flight
information and traveler contact details are transmitted, although even this
information may be valuable to criminals who want to know when a person will
not be at home. It also could be of value for industrial espionage.
Ironically, International SOS delivers public lectures on
cyber-security. On Aug. 5, the company's general manager for group
infrastructure projects, Jonathan Bar, presented at the Global Business Travel
Association convention in San Diego. Pre-conference information on the session,
titled "Cyber Security Risk Management: A Front-Line
Approach," read in part:
"Corporate information assets, intellectual property and employees'
personal information are at risk every day to malicious attacks and prying
eyes."
The International SOS Data Protection Policy, revised March 2013,
states: "Our customers entrust us
with sensitive personal data such as medical data. Our reputation and ability
to continue serving our customers is dependent on our ability to protect their personal
data. Our excellent reputation is the product of many years work by everyone in
our organization but it can be swiftly damaged unless every day, across the globe,
our employees continually assess, improve and adhere to the data protection
principles in this policy. As our future depends on our reputation, this policy
goes beyond the requirements of the law."
The company's Information Security Policy, also
revised in March 2013, states: "Information Security is a priority at
International SOS. We devote significant resources to ensure the
confidentiality, integrity and availability of our data."
International SOS claims as customers more than 70
percent of the Fortune 500.